<p>Sending emails is security-sensitive and can expose an application to a large range of vulnerabilities.</p>
<p><strong>Information Exposure</strong></p>
<p>Emails often contain sensitive information which might be exposed to an attacker if he can add an arbitrary address to the recipient list.</p>
<p><strong>Spamming / Phishing</strong></p>
<p>Malicious user can abuse email based feature to send spam or phishing content.</p>
<p><strong>Dangerous Content Injection</strong></p>
<p>Emails can contain HTML and JavaScript code, thus they can be used for XSS attacks.</p>
<p><strong>Email Headers Injection</strong></p>
<p>Email fields such as <code>subject</code>, <code>to</code>, <code>cc</code>, <code>bcc</code>, <code>from</code> are set in email "headers".&nbsp;
Using unvalidated user input to set those fields&nbsp;might allow attackers to inject new line characters in headers to craft malformed SMTP requests.
Although modern libraries are filtering new line character by default, user data used in&nbsp;email "headers" should always be validated.</p>
<p>In the past, it has led to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801">CVE-2017-9801</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4803">CVE-2016-4803</a> </li>
</ul>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> Unvalidated user input are used to set email headers. </li>
  <li> Email content contains data provided by users and it is not sanitized. </li>
  <li> Email recipient list or body are based user inputs. </li>
</ul>
<p>You are at risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> Use an email library which sanitizes headers (java.mail &gt;= 1.5.6). </li>
  <li> Use html escape functions to sanitize every piece of data used to in the email body. </li>
  <li> Verify application logic to make sure that email base feature can not be abuse to:
    <ul>
      <li> Send arbitrary email for spamming or fishing </li>
      <li> Disclose sensitive email content </li>
    </ul> </li>
</ul>
<h2>Sensitive Code Example</h2>
<pre>
import javax.mail.*;
import javax.mail.internet.MimeMessage;

public class Main {
    public static void sendEmail (Session session, String subject) throws MessagingException{
        Message message = new MimeMessage(session);  // Sensitive

        // For example the setSubject method is vulnerable to Header injection before
        // version 1.5.6 of javamail
        message.setSubject(subject);
        // ...
    }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.damonkohler.com/2008/12/email-injection.html">Email Injection</a> </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/93.html">MITRE, CWE-93</a> - Improper Neutralization of CRLF Sequences ('CRLF Injection') </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/80.html">MITRE, CWE-80</a> - Improper Neutralization of Script-Related HTML Tags in a Web Page
  (Basic XSS) </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
</ul>

